Don’t Trust That Passcode

Ryan Naraine reported over at ZDNet Zero Day on a new iPhone vulnerability which lets anyone have full access to the majority of iPhone functionality despite your clever 4-digit passcode lock.

As mentioned by “greenmymac” and covered by The Register, full access to contacts (and, hence, browser, e-mail, SMS…) is as simple as a press of the “Emergency Call” key from the passcode entry screen, followed by a double-tap on the home button, which – as The Register puts it – “takes the miscreant into favourites…” (why we in the States leave out the “u” is a sad mystery).

As Alex Hutton points out, you can mitigate the threat by disabling the “home button double-tap” feature of your device.

Ryan gave the CVE database a scan and noticed that this is not Apple’s first encounter with this error. CVE-2008-0034, which was identified back in January and fixed in the 1.x series firmware, noted this issue and is yet another sign of Apple’s lack of commitment to security on the iPhone (guess they should have fixed more than just bugs in 2.0.2).

It would be greatly appreciated if any readers in an enterprise configuration (i.e. with a stronger passcode and a centralized provisioning environment) would drop a note in the comments letting me (and other TAB readers) know if you are impacted by this vulnerability as well. All TAB readers are invited to post their thoughts in the comments on Apple’s latest security faux pas.
